Zyxel security advisory for incorrect permission assignment and improper privilege management vulnerabilities in USG FLEX H series firewalls

CVEs: CVE-2025-1731, CVE-2025-1732

Summary

Zyxel has released patches to address incorrect permission assignment and improper privilege management vulnerabilities in the USG FLEX H series firewalls. Users are advised to install them for optimal protection.

What are the vulnerabilities?

CVE-2025-1731

The incorrect permission assignment vulnerability in the PostgreSQL commands of certain USG FLEX H series uOS firmware versions could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Note that modifying the system configuration is only possible if the administrator has not logged out and the token remains valid.

CVE-2025-1732

The improper privilege management vulnerability in the recovery function of certain USG FLEX H series uOS firmware versions could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we've identified only one vulnerable series of products within the vulnerability support period and released patches to address the vulnerabilities, as shown in the table below. Please note that all on-market products not listed in the table are unaffected.

Got a question?

Please contact your local service rep or visit Zyxel's Community for further information or assistance.

Acknowledgment

Thanks to the following security researchers and consultancies:

• Alessandro Sgreccia from HackerHood and Marco Ivaldi from HN Security for CVE-2025-1731
• Alessandro Sgreccia from HackerHood for CVE-2025-1732

Revision history

2025-4-22: Initial release